Skip to content

v0.2.0 plan — workflow, validation, and credential chain

Scope: Roadmap v0.2.0 items that improve how operators progress from findings to re-checks and chained exploits.

Parallel work: v0.2.0-detection-track.md (model-scan, BentoML, W&B, LiteLLM).


Workstream D: validate command

Rationale: Re-run checks against live targets to label findings confirmed / stale / remediated and produce deltas for long engagements.

Step Task Notes
D1 Input: engagement JSON/JSONL (reuse pkg/report FindingCollection) CLI: aipostex validate -i findings.json (shape TBD)
D2 Target resolution per finding URL from Target, module-specific base URL
D3 Per-source validation strategy Light re-probe: HTTP HEAD/GET, template subset, or module-specific “ping”
D4 Output finding metadata e.g. validation_status, validated_at, prior finding ID link
D5 Console + JSON/JSONL writers Match internal/output patterns
D6 Tests Table-driven with httptest; no flaky network
D7 Docs Operator workflow: discover → assess → validate

Dependencies: Stable finding identity (merge/dedupe already uses hash of identity fields in cmd/aipostex/merge.go).

Risk: Scope creep — ship MVP (one or two sources, e.g. vulncheck + fingerprint URL reachability) before full matrix.


Workstream E: Automatic credential forwarding (credchain)

Rationale: Today internal/credchain feeds workflow recommendation text; roadmap asks to auto-inject credentials into the next exploit invocation where safe.

Step Task Notes
E1 Audit current cred extraction and suggestion surfaces Grep credchain in cmd/aipostex
E2 Design: env vars vs flag injection vs temp config OPSEC: never log secrets; align with AIPOSTEX_* env conventions
E3 Map credential type → module flags e.g. Jupyter token, OpenAI key for openai-compat
E4 Opt-in flag (--use-credchain or config) Default off or conservative to avoid surprise auth
E5 Tests Redact secrets in evidence; unit tests with fake env
E6 Docs Security warning and examples

Dependencies: May interact with validate (re-check with same creds) — optional integration in v0.2.1.


Workstream F: Reporting hooks (light touch for v0.2.0)

Roadmap v0.8.0 owns campaign reporting; for v0.2.0 only:

Step Task Notes
F1 Ensure validate output merges into report / bundle cleanly No new report format required for MVP
F2 Optional: single “engagement summary” field on collection If cheap to add

Suggested order within this track

  1. D1–D4 MVP for one source type (prove the UX).
  2. E1–E3 design doc in PR description + E4–E5 minimal implementation for one module pair (e.g. network finding → jupyter token).
  3. F1 before release candidate.

Exit criteria (workflow track)

  • validate documented and tested for agreed MVP scope
  • Credchain auto-forward behind explicit operator consent, with tests for redaction
  • Roadmap updated: which v0.2.0 workflow bullets shipped vs deferred